Thoughts from DFIRLABS

Last time, I gave a little background on digital evidence – where it comes from, why it’s relevant and how it should be gathered. Now we get to the interesting, finicky part: how does the legal system deal with digital evidence? (Disclaimer: this is the part where I say that I’m not a lawyer, no matter how much I loved Suits and The Good Wife).

I am from South Africa, so I’m mainly coming from a South African legal context and perspective (this is not to say that these issues won’t affect you if you’re from another country – these considerations are rather universal, even though different countries address them in different ways).

In a great informative paper written by Prof Murdoch Watney on the South African legal position regarding electronic evidence, the legal questions and concerns surrounding digital (or electronic) evidence are grouped into two main categories:

1. Determining the admissibility of a data message as electronic evidence.

2. Once the electronic evidence is admitted, what evidential weight can be attached to it?

While these issues can legally get quite complex, I’ll be addressing them from the digital forensic examiner’s point of view – the ways we try to ensure that the evidence we extract is correct, unaltered and interpreted correctly.

Admissibility

Everyone who’s worked with a computer likely knows how easily files and their metadata can be altered. The mere act of logging onto a computer (no matter if you’re the end user or the investigator) can alter the device’s state, thereby altering the source of evidence – now we’re seeing issues of integrity and originality being raised, which can easily influence the evidence’s admissibility in court. This is why we use the process of “imaging” (which I briefly mentioned in Part I) to preserve evidence correctly. Imaging a device results in a read-only image or “clone” of the original device’s entire storage (or of a file directory, depending on the needs of a case). The data/potential evidence is essentially stored in a forensic container and verified via hashing. During the verification process, the hash calculated over the forensic image is compared to the hash calculated over the original evidence in order to ensure that no alterations occurred during the imaging process. Imaging also has the advantage of eliminating our reliance on the device that the evidence was found on, such as the suspect’s mobile phone or laptop, since we now have an image file that we can safely store and work with.
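As an added illustration (not code from DFIRLABS), here is a minimal acquisition-and-verification routine in Python: it copies a constructed sample “device” file into a read-only image, records the hash computed over the source while it is read, re-hashes the finished image to verify it, and then shows that a later change to the original device (the “someone logged on” scenario) leaves the image’s verification intact. The file paths, the sample data and the function names are constructed for this example.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash and copy in 1 MiB blocks so large images need not fit in memory


def hash_stream(path, algo="sha256"):
    """Hash a file block by block and return the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path, image_path):
    """Copy the source bit-for-bit into an image file, hashing the source as it is read."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    os.chmod(image_path, 0o444)  # the image is read-only from here on
    return h.hexdigest()  # the "acquisition hash" taken over the original evidence


def verify_image(image_path, acquisition_hash):
    """Re-hash the finished image and compare it with the acquisition hash."""
    verification_hash = hash_stream(image_path)
    return {"acquisition_hash": acquisition_hash,
            "verification_hash": verification_hash,
            "match": verification_hash == acquisition_hash}


def demo():
    """Acquire, verify, then alter the original and show the image still verifies."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "device.bin")   # constructed stand-in for a phone/laptop disk
    image = os.path.join(workdir, "device.dd")     # constructed image path
    with open(device, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))       # constructed sample content
    acquisition_hash = acquire_image(device, image)
    first = verify_image(image, acquisition_hash)
    # Simulate the original being touched after acquisition (one byte changed).
    with open(device, "r+b") as f:
        f.seek(4096)
        f.write(b"\x01")
    original_changed = hash_stream(device) != acquisition_hash
    second = verify_image(image, acquisition_hash)
    return first["match"], original_changed, second["match"]
```

The three booleans returned by demo() are expected to be True, True, True: the image verified, the original no longer matches, and the image still verifies.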

I was watching a fabulous Korean legal drama called Witch’s Court (마녀의 법정) the other day. However, in one of its less-fabulous moments, the prosecutors had obtained a tablet that contained incriminating video evidence that they were building their case around. First, they watched the videos on the tablet itself (no forensic imaging, or any attempt to preserve the evidence, was made!). Later, they discovered the videos had been purposely deleted off the tablet - while in their custody - due to an app installed on it. Cue the panic that their evidence was gone. Meanwhile, I was incoherently yelling at the screen that this wouldn’t have been a problem if your forensics people had been following the proper procedures! (I’m super fun at parties.) Luckily it worked out all right in the end, if you’d been stressing.

Evidential Weight

Prof Watney goes on to talk about how the evidential weight of an exhibit is decided by the court, and how several guidelines as laid out by Section 15 of the Electronic Communications and Transactions Act 25 of 2002 must be followed. One line I’d like to draw attention to in Prof Watney’s paper is this one: “…in using these guidelines a court will probably need some expert help to understand technical procedures…”. It’s easy to misinterpret digital evidence, especially if one doesn’t have a technical background (or even if you do, sometimes). One of the most infamous examples of the misinterpretation of digital evidence is the Casey Anthony trial – two separate forensic tools gave differing outputs after parsing a Mozilla database, and the prosecution’s case suffered when it was determined that their interpretation was incorrect (a fantastic, technical breakdown of the digital forensics side of the case can be found here). The sheer complexity of the systems that are being dealt with in digital forensics – whether it’s Windows, Android, iOS, or any of the numerous third-party data structures we find within these environments – means that a deep technical understanding of computers is a must.

Avoiding mistakes like these is why it’s so important that a digital forensics examiner understands not only the systems and data structures of the evidence they’re examining, but also the workings and limitations of the forensic tool being used to conduct the examination. This means education and training in the technical aspects of IT systems; it means quality assurance on all forensic reports originating from a digital examination and analysis; it means the verification and validation of forensic tools. It means that the digital forensic examiner must do everything in his or her power to ensure that the interpretation of evidence provided is as accurate and correct as possible – because ultimately, people’s lives and futures may very well be on the line.